3730.US.P 
Young, et al 
10/016,558 

In the Claims 

1 . (previously presented) In a network comprising a first oloctronic devic e 
and a s e eond el e ctronic d e vioo, a method A method for authenticating access 
to a controlled network, said method comprising: 

a) authenticating said oocond oloctronic dovic o to said first 
e l e ctronic dovice. said first eloctronio devic e an authentication server to an 
unauthenticated client device communicatively coupled to said second 
oloctronic dovice, said socond eloctronic dovico an the authentication server; 

b) authenticating said first electronic device to said second 
electronic dovico, said first electronic dovico a the unauthenticated client 
device to the authentication server to produce an authenticated client device : 

c) determining generating a key at said first electronic dovice and 
at said second electronic device the authenticated client device and the 
authentication server ; and 

d) authenticating a user to a central authentication server using the 
authenticated client device and the key . 

2. (withdrawn) The method of Claim 1 wherein said first electronic device is 
a client device and said second electronic device is a network device. 

3. (withdrawn) The method of Claim 2 wherein said step a) comprises: 

receiving a first message from said client device at said network 
device, said first message comprising a device identifier and a first random 

number; 

receiving a second message from said network device at said client 
device, said second message comprising a second random number and a first 
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digest, said first digest comprising a one-way hash function operating on 
said first random number, said device identifier, and a first secret shared 
between said network device and said client device; 

determining a second digest at said client device, said second digest 
comprising a one-way hash function operating on said first random number, 
said device identifier, and said first secret; 

comparing said first digest to said second digest at said client device; 

and 

provided said first digest matches said second digest, authenticating 
said network device to said client device. 

4. (withdrawn) The method of Claim 2 wherein said step b) comprises: 

receiving a third message fi*om said client device at said network 
device, said third message comprising a third digest, said third digest 
comprising a one-way hash function operating on said second random 
number, said device identifier, and said first secret; 

determining a fourth digest at said network device, said fourth digest 
comprising said second random number, said device identifier, and said first 
secret; 

comparing said third digest to said fourth digest at said client device; 

and 

provided said third digest matches said fourth digest, authenticating 
said client device to said network device. 

5. (withdrawn) The method as recited in Claim 2 wherein step c) comprises: 

determining a fifth digest at said network device, said fifth digest 
comprising said device idendfier received from said client device, said first 
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secret, said first random number, and said second random number, said fifth 
digest from which said network device selects bits and determines said key; 
and 

calculating a sixth digest at said client device, said sixth digest 
comprising said device identifier, said first secret, said first random number 
and said second random number, said sixth digest from which said client 
device selects bite and determines said key. 

6. (withdrawn) The method as recited in Claim 2 wherein said step d) 
comprises: 

transmitting a request for a user_name and a user_credentials to said 
client device. 

sending said user name and said user_credentials to said network 
device fi"om said client device; 

forwarding said user name and said user_credentials to said central 
authentication server fi-om said network device; and 

employing said user name and said user credentials for 
authenticating said user at said central authentication server. 

7. (withdrawn) The method as recited in Claim 6 further comprising: 

provided said user is authenticated at said central authentication 
server: 

sending a success message to said network device at said 
central authentication server; 

forwarding said success message to said client device at said 
network device; 

allowing said client device to access said controlled network at 
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said network device; and 

provided said user is not authenticated at said central authentication 
server: 

sending a failure message to said network device at said central 
authentication server; 

forwarding said failure message to said client device at said 
network device; 

disallowing said client device access to said controlled network 
at said network device. 

8. (currently amended) The method as recited in Claim 1 wherein said 
authentication server is-a is the central authentication server. 

9. (currently amended) The method of Claim 8 wherein a network device is 
employed for providing an interface between said unauthenticated client 
device and said central authentication server. 

10. (currently amended) The method of Claim 9 wherein step a) comprises: 

receiving a first standard message from said unauthenticated client 
device at said network device; 

forwarding said first standard message to said central authentication 
server from said network device; and 

receiving said first standard message from said network device at said 
central authentication server whereby said unauthenticated client device is 
identified to said central authentication server. 
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1 1 . (currently amended) The method as recited in Claim 10 further 
comprising: 

sending a second standard message to said network device from said 
central authentication server; and 

forwarding said second standard message to said 
unauthenticated client device from said network device, whereby said 
central authentication server is authenticated to said unauthenticated client 
device. 

12. (currently amended) The method as recited in Claim 10 wherein said 
step c) comprises: 

sending a third standard message to said network device from said 
unauthenticated client device; and 

forwarding said third standard message to said central authentication 
server from said network device, whereby said unauthenticated client device 
is authenticated to said central authentication server as the authenticated 
client device . 

13. (original) The method as recited in Claim 10 wherein said first standard 
message comprises a standard EAP-TLS protocol message. 

14. (original) The method as recited in Claim 1 1 wherein said second 
standard message comprises a key exchange from said central authentication 
server to said client device. 

15. (original) The method as recited in Claim 1 1 wherein said second 
standard message comprises a standard EAP-TLS protocol message. 
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16. (original) The method as recited in Claim 12 wherein said third standard 
message comprises a key exchange from said client device to said central 
authentication server. 

17. (original) The method as recited in Claim 12 wherein said third standard 
message comprises a standard EAP-TLS protocol message. 

18. (original) The method as recited in Claim 1 wherein said first electronic 
device and said second electronic device are communicatively coupled by a 
wireless connection. 

19. (original) The method as recited in Claim 1 wherein said first electronic 
device and said second electronic device are communicatively coupled by a 
wired connection. 

20. (withdrawn) The method as recited in Claim 2 wherein said network 
device is a wireless network access point. 

21. (currently amended) A computer system network comprising: 

a central authentication server for authenticating a user to send or 
receive information over a computer system network; 

a firot oloctronic an unauthenticated client device coupled to said 

network; and 

a second oloctronic d e vic e network access point coupled to said 
central authentication server; 

said central authentication server, said firot electronic unauthenticated 
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client device and said oocond e l e ctronic device network access point 
operating in conjunction to perform a method of authenticating access to a 
controlled network, said method comprising: 

a) authenticating said second elee - tronic d e vi ee network access 
point to said first oloctronic unauthenticated client device, said &fsi 
oloctronic unauthenticated client device communicatively coupled to said 
nocnnd oloctronio dovio e network access point: 

b) authenticating said first olootronic unauthenticated client device 
to said aocond oloctronic device network access point to produce an 
authenticated client device: 

c) determining a key at said first oloctronic dovico authenticated 
client device and at said aocond olootronic device network access point : and 

d) authenticating a user to said central authentication serve r using 
the authenticated client device and the key . 

22. (withdrawn) The method of Claim 21 wherein said first electronic device 
is a client device and said second electronic device is a network device. 

23. (withdrawn) The method of Claim 22 wherein said step a) comprises: 

receiving a first message fi*om said client device at said network 
device, said first message comprising a device identifier and a first random 
number; 

receiving a second message fi-om said network device at said client 

device, said second message comprising a second random number and a first 
digest, said first digest comprising a one-way hash fiinction operating on 
said first random number, said device identifier, and a first secret shared 
between said network device and said client device; 
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determining a second digest at said client device, said second digest 
comprising a one-way hash function operating on said first random number, 
said device identifier, and said first secret; 

comparing said first digest to said second digest at said client device; 

and 

provided said first digest matches said second digest, authenticating 
said network device to said client device. 

24. (withdrawn) The method of Claim 22 wherein said step b) comprises: 

receiving a third message from said client device at said network 
device, said third message comprising a third digest, said third digest 
comprising a one-way hash function operating on said second random 
number, said device identifier, and said first secret; 

determining a fourth digest at said network device, said fourth digest 
comprising said second random number, said device identifier, and said first 
secret; 

comparing said third digest to said fourth digest at said client device; 

and 

provided said third digest matches said fourth digest, authenticating 
said client device to said network device. 

25. (withdrawn) The method as recited in Claim 22 wherein step c) 
comprises: 

determining a fifth digest at said network device, said fifth digest 
comprising said device identifier received fi-om said client device, said first 
secret, said first random number, and said second random number, said fifth 
digest fi-om which said network device selects bits and determines said key; 
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and 

calculating a sixth digest at said client device, said sixth digest 
comprising said device identifier, said first secret, said first random number 
and said second random number, said sixth digest jfrom which said client 
device selects bits and determines said key. 

26. (withdrawn) The method as recited in Claim 22 wherein said step d) 
comprises: 

transmitting a request for a user name and a user credentials to said 
client device. 

sending said user_name and said user credentials to said network 
device from said client device; 

forwarding said user_name and said user_credentials to said central 
authentication server from said network device; and 

employing said user_name and said user credentials for 
authenticating said user at said central authentication server. 

27. (withdrawn) The method as recited in Claim 26 further comprising: 

provided said user is authenticated at said central authentication 
server: 

sending a success message to said network device at said 
central authentication server; 

forwarding said success message to said client device at said 
network device; 

allowing said client device to access said controlled network at 
said network device; and 

provided said user is not authenticated at said central authentication 
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server: 



sending a failure message to said network device at said central 
authentication server; 

forwarding said failure message to said client device at said 
network device; 

disallowing said client device access to said controlled network 
at said network device. 

28. (currently amended) The method as recited in Claim 21 wherein said 
first olectronio dovico io a cli e nt dovioo and oaid oeoond oleotronio dovico is a 
network dovico, said notw^ork dovico a network access point is a wireless 
access point . 

29. (currently amended) The method of Claim 28 claim 21 wherein a 
notwnric dovico in employ e d for providing the network access point is an 
interface between said authenticated client device and said central 
authentication server. 

30. (currently amended) The method of Claim 29 wherein step a) comprises: 

receiving a first standard message from said unauthenticated client 

device at said network d e vic e access point ; 

forwarding said first standard message to said central authentication 
server from said network devic e access point: and 

receiving said first standard message from said network device access 
point at said central authentication server whereby said unauthenticated 
client device is identified to said central authentication server. 
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3 1 . (currently amended) The method as recited in Claim 30 further 

comprising: 

sending a second standard message to said network device access 
point from said central authentication server; and 

forwarding said second standard message to said unauthenticated 
client device from said network devic e access point, whereby said central 
authentication server is authenticated to said unauthenticated client device. 

32. (currently amended) The method as recited in Claim 30 wherein said 
step c) comprises: 

sending a third standard message to said network device from said 
unauthenticated client device; and 

forwarding said third standard message to said central authentication 
server from said network dovioo access point, whereby said unauthenticated 
client device is authenticated to said central authentication server. 

33. (original) The method as recited in Claim 30 wherein said first standard 
message comprises a standard EAP-TLS protocol message. 

34. (original) The method as recited in Claim 3 1 wherein said second 
standard message comprises a key exchange from said central authentication 
server to said unauthenticated client device. 

35. (original) The method as recited in Claim 3 1 wherein said second 
standard message comprises a standard EAP-TLS protocol message. 



12 



3730.US.P 
Young, et al. 
10/016,558 

36. (currently amended) The method as recited in Claim 32 wherein said 
third standard message comprises a key exchange from said unauthenticated 
client device to said central authentication server. 

37. (original) The method as recited in Claim 32 wherein said third standard 
message comprises a standard EAP-TLS protocol message. 

38. (cuirently amended) The method as recited in Claim 21 wherein said 
first olootronic unauthenticated client device and said second olootronic 
devic e network access point are communicatively coupled by a wireless 
connection. 

39. (currently amended) The method as recited in Claim 2 1 wherein said 
first oloctronio unauthenticated client device and said second oloctronic 
device network access point are communicatively coupled by a wired 
connection. 

40. (withdrawn) The method as recited in Claim 22 wherein said network 
device is a wireless network access point. 

41. (currently amended) In a computer-usable medium having computer- 
readable program code embodied therein, a computer-implemented method 
for authenticating a firat oloctronic an unauthenticated client device and a 
second oloctronic device network access point , said method comprising: 

a) authenticating said second oloctronic devic e network access 
point to said first electronic unauthenticated client device, said lifst 
oloctronic unauthenticated client device communicatively coupled to said 
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j( M > r.nnH p.lo.ctrontc dovice network access point ; 

b) authenticating said finit oloctronic unautlienticated client device 
to said Gocond electronic dovice network access point to produce an 
authenticated client device ; 

c) determining a key at said firot oloctronic authenticated client 
device and at said sooond electronic device network access point ; and 

d) authenticating a user of the authenticated client device to a 
central authentication server. 

42. (withdrawn) The computer implemented method of Claim 41 wherein 
said first electronic device is a client device and said second electronic 
device is a network device. 

43. (withdrawn) The computer implemented method of Claim 42 wherein 
said step a) comprises: 

receiving a first message from said client device at said network 
device, said first message comprising a device identifier and a first random 
number; 

receiving a second message fi-om said network device at said client 
device, said second message comprising a second random number and a first 

digest, said first digest comprising a one-way hash function operafing on 
said first random number, said device identifier, and a first secret shared 
between said network device and said client device; 

determining a second digest at said client device, said second digest 
comprising a one-way hash function operating on said first random number, 
said device identifier, and said first secret; 

comparing said first digest to said second digest at said client device; 
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and 

provided said first digest matches said second digest, authenticating 
said network device to said client device. 

44. (withdrawn) The computer implemented method of Claim 42 wherein 
said step b) comprises: 

receiving a third message jfrom said client device at said network 
device, said third message comprising a third digest, said third digest 
comprising a one-way hash function operating on said second random 
number, said device identifier, and said first secret; 

determining a fourth digest at said network device, said fourth digest 
comprising said second random number, said device identifier, and said first 
secret; 

comparing said third digest to said fourth digest at said client device; 

and 

provided said third digest matches said fourth digest, authenticating 
said client device to said network device. 

45. (withdrawn) The computer implemented method as recited in Claim 42 
wherein step c) comprises: 

determining a fifth digest at said network device, said fifth digest 
comprising said device identifier received from said client device, said first 
secret, said first random number, and said second random number, said fifth 
digest from which said network device selects bits and determines said key; 
and 

calculating a sixth digest at said client device, said sixth digest 
comprising said device identifier, said first secret, said first random number 
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and said second random number, said sixth digest from which said client 
device selects bits and determines said key. 

46. (withdrawn) The computer implemented method as recited in Claim 42 
wherein said step d) comprises: 

transmitting a request for a user_name and a user_credentials to said 
client device. 

sending said user name and said user_credentials to said network 
device from said client device; 

forwarding said user_name and said user credentials to said central 
authentication server from said network device; and 

employing said user_name and said user credentials for 
authenticating said user at said central authentication server. 

47. (withdrawn) The computer implemented method as recited in Claim 46 
further comprising: 

provided said user is authenticated at said central authentication 
server: 

sending a success message to said network device at said 
central authentication server; 

forwarding said success message to said client device at said 
network device; 

allowing said client device to access said controlled network at 
said network device; and 

provided said user is not authenticated at said central authentication 
server: 

sending a failure message to said network device at said central 
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authentication server; 

forwarding said failure message to said client device at said 
network device; 

disallowing said client device access to said controlled network 
at said network device. 

48. (currently amended) The computer implemented method as recited in 
Claim 41 wherein amd firot oloctronic devioo io a client dgvico and oaid 
second olectronio dovio e said network access point is-a is the central 
authentication server. 

49. (currently amended) The computer implemented method of Claim 48 
wherein a network dovioo io employed for providing said network access 
point provides an interface between said unauthenticated client device and 
said central authentication server. 

50. (currently amended) The computer implemented method of Claim 49 
wherein step a) comprises: 

receiving a first standard message from said unauthenticated client 
device at said network device access point: 

forwarding said first standard message to said central authentication 
server from said network device access point ; and 

receiving said first standard message from said network devic e access 
point at said central authentication server whereby said unauthenticated 
client device is identified to said central authentication server. 



17 



3730.US.P 
Young, et al. 
10/016,558 

5 1 . (currently amended) The computer implemented method as recited in 
Claim 50 further comprising: 

sending a second standard message to said network device access 
point from said central authentication server; and 

forwarding said second standard message to said unauthenticated 
client device from said network device access point , whereby said central 
authentication server is authenticated to said unauthenticated client device, 

52. (currently amended) The computer implemented method as recited in 
Claim 50 wherein said step c) comprises: 

sending a third standard message to said network devic e access point 
from said unauthenticated client device; and 

forwarding said third standard message to said central authentication 
server from said network devic e access point , whereby said unauthenticated 
client device is authenticated to said central authentication server to produce 
an authenticated client device . 

53. (original) The computer implemented method as recited in Claim 50 
wherein said first standard message comprises a standard EAP-TLS protocol 
message. 

54. (currently amended) The computer implemented method as recited in 
Claim 51 wherein said second standard message comprises a key exchange 
from said central authentication server to said unauthenticated client device. 
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55. (original) The computer implemented method as recited in Claim 51 
wherein said second standard message comprises a standard EAP-TLS 
protocol message, 

56. (currently amended) The computer implemented method as recited in 
Claim 52 wherein said third standard message comprises a key exchange 
from said unauthenticated client device to said central authentication server. 

57. (original) The computer implemented method as recited in Claim 52 
wherein said third standard message comprises a standard EAP-TLS 
protocol message. 

58. (currently amended) The computer implemented method as recited in 
Claim 41 wherein said firot olootronic unauthenticated client device and said 
second oleotronic dovice network access point are communicatively coupled 
by a wireless connection. 

59. (currently amended) The computer implemented method as recited in 
Claim 41 wherein said firot oloctronic unauthenticated client device and said 
Gocond oloctronic devic e network access point are communicatively coupled 
by a wired connection. 

60. (withdrawn) The computer implemented method as recited in Claim 42 
wherein said network device is a wireless network access point. 
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